Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.11.29 16:00	Machine	s1_win7_x6402
Filename	file_ver_9.rar
Type	RAR archive data, v5
AI Score	Not founds	Behavior Score	6.6
ZERO API	file : clean
VT API (file)
md5	0626f8e71d8a91fd6185df77a50b9fbc
sha256	e91a27ef813d4687de455dc1abd55c7a40cf305e370606065aee1e347c8b6450
ssdeep	196608:eyUELVExN/fV+J84bKDOsvFItL19baaQpVfxA:dH+O8V3Q58PpVO
imphash
impfuzzy

Network IP location

Signature (14cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (87cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://5.42.64.41/40d570f44e84a454.php whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true whois	Cable Onda	190.218.32.77	27911	mailcious
http://176.113.115.84:8080/4.php whois	OOO Network of data-centers Selectel	176.113.115.84	34795	mailcious
http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
http://109.107.182.45/trend/home.exe whois	Teleport-TV Ltd	109.107.182.45		mailcious
http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
http://apps.identrust.com/roots/dstrootcax3.p7c whois	AKAMAI-AS	23.32.56.80		clean
http://91.92.243.151/api/firegate.php whois		91.92.243.151		clean
http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
http://5.42.64.35/timeSync.exe whois	CJSC Kolomna-Sviaz TV	5.42.64.35		malware
http://91.92.243.151/api/tracemap.php whois		91.92.243.151	37889	mailcious
http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll whois	CJSC Kolomna-Sviaz TV	5.42.64.41		clean
https://sun6-22.userapi.com/c236331/u418490229/docs/d5/af51deff0236/Rise.bmp?extra=EXpRRrsiC1jWoHBXbvHHi-UWj6Grj_AkUV6kOcM6llnGcexjn5FNP-bw5dsGphz9RLFdXu9yhqgky3xkYW4oblIQTqffvix3MCOTMskXb-0k6HOQ4MwchfLG5QMetCJb-25Uj9rO2AF0wV3bkQ whois	VKontakte Ltd	95.142.206.2		clean
https://db-ip.com/demo/home.php?s=175.208.134.152 whois	CLOUDFLARENET	104.26.4.15		clean
https://vk.com/doc418490229_668938366?hash=5FoUaQok0B2gtiDqcFJ4bpegTD2SPzTjKqykfkwb3zc&dl=vyAqT5Xe4xXyZ38CTECObVL4GlrQZGRjeNMqsV10szg&api=1&no_preview=1#1 whois	VKontakte Ltd	87.240.137.164		clean
https://vk.com/doc418490229_668951217?hash=0wrWsiW5bDYiOaBQlj1ut0KnfM2SerHsUNtSIA8n0BX&dl=OYYh0EDgZLGz5BRVaNfHjBWXrjyY3hvz3peQaRwCvJ0&api=1&no_preview=1#test22 whois	VKontakte Ltd	87.240.137.164		clean
https://vk.com/doc418490229_668929938?hash=ktCgmKYqoZFe4ivRZzzbNBxLkP2YROgRTvMCbGK5rtc&dl=Q00m1ouR7KqanosInfovEoKZoXQN3pn1V9bUiGxjkk0&api=1&no_preview=1 whois	VKontakte Ltd	87.240.137.164		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats whois	VKontakte Ltd	87.240.137.164		mailcious
https://thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs/setup294.exe whois	CLOUDFLARENET	104.21.31.74		clean
https://sun6-21.userapi.com/c909418/u418490229/docs/d33/0707ec1a9cdf/cz28.bmp?extra=sGRI4H5niz7RxILWD_zUG_ctDcTaUSYqKpF1niVRahjkUS__H9KEp1ZwCxgayUfHyz5J9Nz_aiGnRQ0XXPiLbkZhLPYOYfkejwL07zdN1voMsYNb9bZ-9a11sYdof2VMN6HvEZGjbQ-CNlvy4A whois	VKontakte Ltd	95.142.206.1		clean
https://sun6-22.userapi.com/c909218/u418490229/docs/d39/b36e581ef415/file281123.bmp?extra=bJDa7mvscY-voQdIZZUksYr44DtBJP-kJssHt6Ahl0Q3MWE0gDizV1mxjHiRYniFlTlcLPFRW15HwvmQT66uxmB5hPFhj1YM_rOkx1nDbAHpSg6gKZ6T_jczVxXuiS1oknRU7mtsN-SX-p1ujg whois	VKontakte Ltd	95.142.206.2		clean
https://vk.com/doc278414724_666785048?hash=BEECsUI0KihIsE0U0nCflKTI5jGLqnjbHrZ921hHoIo&dl=MlH2hFcAGSgijzPzzjYVJFJFj9WHHsyc0XO9FI0mX38&api=1&no_preview=1#ww11 whois	VKontakte Ltd	87.240.137.164		clean
https://api.myip.com/ whois	CLOUDFLARENET	104.26.8.59		clean
https://vk.com/doc418490229_668929802?hash=JGJzKUDsQctWofQ698XiG5TtXyL4jHXW5WO9kYCx09g&dl=jnJZekjN4zWOrABguUPz6zoyi3nglzHT0X5thDnbzMX&api=1&no_preview=1#redline_rm whois	VKontakte Ltd	87.240.137.164		clean
https://sun6-23.userapi.com/c909328/u418490229/docs/d20/f3a7ad2143af/mr_Bro.bmp?extra=LeAgMHn_2s_EVvaW-K_cYV6O9innY-2Ivke0GMPWzt-Bxu8pOVe7OUztp54ANXLikgsNht2ZvFU3mutgl9UWPZP25IvV6FHhjqfrAX2L6bAqCC7SyALVe6WD2lVYAeSAh3Vn80bmEFxY13YjhQ whois	VKontakte Ltd	95.142.206.3		clean
https://vk.com/doc418490229_668929813?hash=CcrmLI7IeiRz0lU8DnAVrRG7zp1VmDOzkljV4YdvlFg&dl=fbXhUnfoCiOFBNTYzP3G4TgseWVmer9dhybO06Dbf3X&api=1&no_preview=1#risepro whois	VKontakte Ltd	87.240.137.164		clean
https://iplis.ru/1Gemv7.mp3 whois	CLOUDFLARENET	172.67.147.32		clean
https://sun6-20.userapi.com/c909518/u418490229/docs/d51/4406a2506340/red_line.bmp?extra=1GONfT_9cHm8rJzJ70PLJj4VAC91m0S4Gca-QG052TIJ_-UwtxALkVaPJ0uZ1FKVXet0kJLaXAZ51JpjRgVz_JEdKGwQ8dO7nEJ5B0ilU4MZvTvhmkRuXRNbW12qcvV2G5xp2F3bcuW3WdIAhQ whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	87.240.137.164		mailcious
https://api.2ip.ua/geo.json whois	CLOUDFLARENET	172.67.139.220		clean
https://vk.com/doc418490229_668931401?hash=iAFqqX4VsjibbUrFFs3uLnWGAIedldaHRjTySVZmqV0&dl=hZ7Ql2epmfz2WiO8BxGI8cdwo6AK6bLFPyI65FMR3FH&api=1&no_preview=1#maff whois	VKontakte Ltd	87.240.137.164		clean
https://sun6-21.userapi.com/c909328/u418490229/docs/d52/e20150ec5011/crypted.bmp?extra=9_uUHyTbLcXEPVRQVoDX2SVXXD5LQIa5cbmPsUZ3sANv_Z7qrNnfAbxOeHfG8kJovBnfxWwX2ooHmOeZbCi822CJMQagWtI1l_OJm3U24MjBdIRMy5fjt-zQyydy6dHJmDi4Osx0CqpLJikI0A whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc418490229_668767729?hash=65wAhIT5Td9Qu0SLdsQyFz8gx9sXRgxbSsg6rImiJQH&dl=ur2wv4vg3UjVwTO0wSnjKdxULtRETYEfElriZjtBG64&api=1&no_preview=1 whois	VKontakte Ltd	87.240.137.164		clean
https://sun6-21.userapi.com/c237331/u418490229/docs/d28/adfc4032e372/BotClients.bmp?extra=u6VcUNDBHlz4YtdAG5FSiCZtBVvB20an469YZyM8KYXq3Vh2UQ8YRDjgubImLSU5YyYT8TRfRocazjx4RVqpRtmvXLm18R9BiDOzCavVrvZPK5TXT1v1nS1lYeEizYUGJUOVTFeMRkJhvuR3lQ whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test whois	VKontakte Ltd	87.240.137.164		mailcious
https://vk.com/doc26060933_667508201?hash=6VnuemqrvgMX7JGCKhOp7uAllSfIKzasrs7cM1fWhgL&dl=JwY775FVXYxbFspXlbElezWDzeVHhbpuZXgjGmHUTZs&api=1&no_preview=1#setup whois	VKontakte Ltd	87.240.137.164		clean
https://vk.com/doc418490229_668950817?hash=eI5j14qEZqSaw1aKlx69PDkbeE2RaV0OZkR8TCBVlkH&dl=Q3HIRdzNrrMLZtN2dhibLhc4W12UZleN44GQrBv9zQc&api=1&no_preview=1#xin whois	VKontakte Ltd	87.240.137.164		clean
https://sun6-23.userapi.com/c909328/u418490229/docs/d4/513c59e462a3/2s78sh2agf.bmp?extra=wo3J3uOiHbgaAFfUUpBiWNnQ_wa3RVUVpf16WebNgU3tW18tv009ULs2b4b8x5HTDD7XJTCRwRbunl6DgE_pXd2Bpht21e04pZ2mEDxtRrUOB_l46TDy9w7D_F8mVOCDwNW_T0c_ZlIZ8-Hh2A whois	VKontakte Ltd	95.142.206.3		clean
medfioytrkdkcodlskeej.net whois	Petersburg Internet Network ltd.	91.215.85.209		malware
zexeq.com whois	LG DACOM Corporation	211.168.53.110		malware
db-ip.com whois	CLOUDFLARENET	104.26.4.15		clean
thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs whois	CLOUDFLARENET	172.67.175.68		clean
gons32cl.top whois				malware
iplis.ru whois	CLOUDFLARENET	104.21.63.150		mailcious
api.2ip.ua whois	CLOUDFLARENET	172.67.139.220		clean
sun6-22.userapi.com whois	VKontakte Ltd	95.142.206.2		mailcious
vanaheim.cn whois		158.160.82.150		mailcious
iplogger.org whois	CLOUDFLARENET	104.21.4.208		mailcious
ipinfo.io whois	GOOGLE	34.117.59.81		clean
api.myip.com whois	CLOUDFLARENET	172.67.75.163		clean
sun6-23.userapi.com whois	VKontakte Ltd	95.142.206.3		mailcious
sun6-20.userapi.com whois	VKontakte Ltd	95.142.206.0		mailcious
vk.com whois	VKontakte Ltd	87.240.132.72		mailcious
logisticspierias.com whois	ACP	162.0.215.51		malware
sun6-21.userapi.com whois	VKontakte Ltd	95.142.206.1		mailcious
194.169.175.128 whois		194.169.175.128		mailcious
162.0.215.51 whois	ACP	162.0.215.51		mailcious
5.42.64.41 whois	CJSC Kolomna-Sviaz TV	5.42.64.41		mailcious
5.42.64.35 whois	CJSC Kolomna-Sviaz TV	5.42.64.35		malware
109.107.182.45 whois	Teleport-TV Ltd	109.107.182.45		mailcious
194.33.191.60 whois	Aqua Jump Srl	194.33.191.60		mailcious
91.215.85.209 whois	Petersburg Internet Network ltd.	91.215.85.209		mailcious
194.49.94.80 whois		194.49.94.80		mailcious
104.21.31.74 whois	CLOUDFLARENET	104.21.31.74		clean
190.187.52.42 whois	AMERICATEL PERU S.A.	190.187.52.42		clean
34.117.59.81 whois	GOOGLE	34.117.59.81		clean
176.113.115.84 whois	OOO Network of data-centers Selectel	176.113.115.84		mailcious
104.26.8.59 whois	CLOUDFLARENET	104.26.8.59		clean
172.67.147.32 whois	CLOUDFLARENET	172.67.147.32		clean
91.92.243.151 whois		91.92.243.151		mailcious
95.214.26.17 whois	CMCS	95.214.26.17		clean
158.160.82.150 whois		158.160.82.150		clean
194.49.94.152 whois		194.49.94.152		mailcious
194.49.94.97 whois		194.49.94.97		malware
23.67.53.17 whois	Akamai International B.V.	23.67.53.17		clean
104.26.4.15 whois	CLOUDFLARENET	104.26.4.15		clean
87.240.137.164 whois	VKontakte Ltd	87.240.137.164		mailcious
95.142.206.3 whois	VKontakte Ltd	95.142.206.3		mailcious
95.142.206.2 whois	VKontakte Ltd	95.142.206.2		mailcious
172.67.139.220 whois	CLOUDFLARENET	172.67.139.220		clean
95.142.206.0 whois	VKontakte Ltd	95.142.206.0		mailcious
77.232.39.164 whois	JSC Evrasia Telecom Ru	77.232.39.164		clean
172.67.132.113 whois	CLOUDFLARENET	172.67.132.113		clean
95.142.206.1 whois	VKontakte Ltd	95.142.206.1		mailcious

Suricata ids

SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 20
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET INFO EXE - Served Attached HTTP
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET DROP Spamhaus DROP Listed Traffic Inbound group 8
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
SURICATA HTTP unable to match response to request

Report - file_ver_9.rar

Signature (14cnts)

Rules (11cnts)

Network (87cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure